prosody-modules: annotate mod_openid/README.markdown @ 5438:53f34e17d590

mod_auth_oauth_external: Remove untested role mapping
This ... broke things. If brought back, it would need additional
validation.

author: Kim Alvefur <zash@zash.se>
date: Wed, 10 May 2023 13:43:59 +0200
parents: b42eb10dc7d2
---
labels:
- 'Stage-Alpha'
summary: Enables Prosody to act as an OpenID provider
...

Introduction
============

[OpenID](http://openid.net/) is a decentralized authentication
mechanism for the Web. mod\_openid turns Prosody into an OpenID
*provider*, allowing users to use their Prosody credentials to
authenticate with various third party websites.

Caveats
=======

mod\_openid can best be described as a **proof-of-concept**: it has
known deficiencies and should **not** be used in the wild as a
legitimate OpenID provider. mod\_openid was developed against the
Prosody 0.4.x series and has not been tested with the 0.5.x or later
series.

Details
=======

OpenID works on the basis of a user proving to the third party they
wish to authenticate with, the OpenID *relying party*, that they
control a URL, known as the OpenID *identifier*. mod\_openid uses
Prosody's built-in HTTP server to give every user an OpenID identifier
of the form `http://host.domain.tld[:port]/openid/user`, which is the
OpenID identifier of the user with the Jabber ID `user@host.domain.tld`.

Usage
=====

Add "openid" to your `modules_enabled` list. You may then use the
identifier form described above as your OpenID identifier. The port
Prosody's HTTP server listens on is currently fixed at 5280, so the
full OpenID identifier of the user `romeo@montague.lit` is
`http://montague.lit:5280/openid/romeo`.

Configuration
=============

mod\_openid has no configuration options as of this time.

TODO
====

The following is a list of the pending tasks which would have to be done
to make mod\_openid fully featured. They are listed roughly in order of
importance, each with an estimated degree of difficulty.

1. Support Prosody 0.6.x series (**Medium**)
2. Refactor code (**Medium**)
    - The code is pretty messy at the moment; it should be refactored
      to be more easily understood.

3. Disable use of "user@domain" OpenID identifier form (*Easy*)
    - This is a vestigial feature from the early design, allowing
      explicit specification of the JID. However the JID can be
      inferred from the simpler OpenID identifier form.

4. Use a cryptographically secure Pseudo Random Number Generator (PRNG)
   (**Medium**)
    - This would likely be accomplished using luacrypto, which provides
      a Lua binding to the OpenSSL PRNG.

5. Make sure OpenID key-value pairs get signed in the right order
   (***Hard***)
    - The key-value pairs in a response must be signed in the order
      listed in `openid.signed`, so that the relying party can rebuild
      the same string and verify the signature. This is complicated by
      the fact that the iteration order of non-integer keys in a Lua
      table is not guaranteed.

6. Do an actual match on the OpenID realm (**Medium**)
    - The code currently always returns true for matches against an
      OpenID realm, so a relying party can show the user one realm
      while directing the response to an unrelated `return_to` URL.
      This is a security risk.

7. Don't use plain text authentication over HTTP (***Hard***)
    - This would require some JavaScript to perform a digest. (A
      client-side digest only hides the password from passive
      observers; item 10, HTTPS, is the real fix.)

8. Return meaningful error responses (**Medium**)
    - Most error responses are an HTTP 404 Not Found; obviously
      something more meaningful could be returned.

9. Enable Association (***Hard***)
    - Association is a feature of the OpenID specification which
      reduces the number of round-trips needed to perform
      authentication.

10. Support HTTPS (**Medium**)
    - With an option to only allow authentication through HTTPS.

11. Enable OpenID 1.1 compatibility (**Medium**)
    - mod\_openid is designed from the OpenID 2.0 specification, which
      has an OpenID 1.1 compatibility mode.

12. Check specification compliance (**Medium**)
    - Walk through the code and make sure it complies with the OpenID
      specification. Comment code as necessary with the relevant
      sections in the specification.

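Items 4, 5 and 6 above are the ones with the sharpest security consequences and the easiest to get subtly wrong, so here is an added worked example, in Python rather than the module's Lua, of how an OpenID 2.0 provider handles them: a CSPRNG-backed `response_nonce`, a signature computed over the fields in exactly the order given in `openid.signed`, and a `return_to`/realm match following section 9.2 of the specification. This is example code, not mod\_openid's; the function names, the `OP_ENDPOINT` value, the MAC key and the sample request are assumptions constructed for the example, and the refusal of top-level-domain-wide wildcard realms is an implementation choice, not spec text.

```python
# Added example, not mod_openid code: TODO items 4, 5 and 6 done the way an
# OpenID 2.0 provider must. Endpoint, key and request below are constructed.
import base64
import datetime
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

OP_ENDPOINT = "http://montague.lit:5280/openid"   # assumed endpoint URL
DEFAULT_PORTS = {"http": 80, "https": 443}
# Section 10.1 minimum set of signed fields; this list fixes their order.
SIGNED_ORDER = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]

def _port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)

def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Item 6: section 9.2 realm match instead of always returning true."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.query or r.username or r.password:
        return False                      # realms must not carry these
    if r.scheme not in DEFAULT_PORTS or r.scheme != u.scheme:
        return False                      # scheme must be identical
    if _port(r) != _port(u):
        return False                      # port must be identical
    rhost, uhost = (r.hostname or "").lower(), (u.hostname or "").lower()
    if not rhost or not uhost:
        return False
    if rhost.startswith("*."):
        suffix = rhost[2:]
        if "*" in suffix or "." not in suffix:
            return False                  # our choice, not spec: no *.com-style realms
        if uhost != suffix and not uhost.endswith("." + suffix):
            return False
    elif "*" in rhost or rhost != uhost:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    if rpath == upath:
        return True
    # otherwise return_to's path must be a sub-directory of the realm's path
    return upath.startswith(rpath if rpath.endswith("/") else rpath + "/")

def fresh_nonce() -> str:
    """Item 4: response_nonce = UTC timestamp + CSPRNG suffix (section 10.1)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_urlsafe(16)

def kv_form(fields: dict, order) -> bytes:
    """Section 4.1.1 key-value form, emitted in exactly the order given."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in order).encode()

def _mac(mac_key: bytes, data: bytes, assoc_type: str) -> str:
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    return base64.b64encode(hmac.new(mac_key, data, digest).digest()).decode("ascii")

def sign_fields(fields: dict, mac_key: bytes, order, assoc_type="HMAC-SHA256") -> dict:
    """Item 5: sign from an explicit field list, never from table iteration order."""
    signed = dict(fields)
    signed["openid.signed"] = ",".join(order)
    signed["openid.sig"] = _mac(mac_key, kv_form(signed, order), assoc_type)
    return signed

def verify_signature(fields: dict, mac_key: bytes, assoc_type="HMAC-SHA256") -> bool:
    """Relying-party side: rebuild the key-value form from openid.signed."""
    order = fields["openid.signed"].split(",")
    expected = _mac(mac_key, kv_form(fields, order), assoc_type)
    return hmac.compare_digest(expected, fields["openid.sig"])

def positive_assertion(request: dict, mac_key: bytes):
    """checkid_* request -> signed id_res fields, or None if the realm check fails."""
    return_to = request["openid.return_to"]
    realm = request.get("openid.realm", return_to)   # section 9.1 default
    if not return_to_matches_realm(return_to, realm):
        return None
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.return_to": return_to,
        "openid.response_nonce": fresh_nonce(),
        "openid.assoc_handle": request["openid.assoc_handle"],
        "openid.claimed_id": request["openid.claimed_id"],
        "openid.identity": request["openid.identity"],
    }
    return sign_fields(fields, mac_key, SIGNED_ORDER)

# Constructed sample: a checkid_setup request for romeo, with a fixed test MAC
# key standing in for the one the association step (item 9) would establish.
SAMPLE_MAC_KEY = b"\x01" * 32
SAMPLE_REQUEST = {
    "openid.claimed_id": "http://montague.lit:5280/openid/romeo",
    "openid.identity": "http://montague.lit:5280/openid/romeo",
    "openid.assoc_handle": "assoc-constructed-1",
    "openid.return_to": "https://www.rp.example/login/finish?s=1",
    "openid.realm": "https://*.rp.example/login",
}
```

`verify_signature` is what the relying party does: it rebuilds the key-value form from the `openid.signed` list it received, which is why that list, and not the provider's internal table order, has to drive the signing. In Lua the same discipline means iterating an explicit array of field names with `ipairs` rather than running `pairs` over the response table.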
Once all these steps are done, mod\_openid could be considered to have
reached "beta" status and be ready for real-world use. The following are
features that would be nice to have in a stable release:

1. Allow users to always trust realms (***Hard***)
2. Allow users to remain logged in with a cookie (***Hard***)
3. Enable simple registration using a user's vCard (**Medium**)
4. More useful user identity page (***Hard***)
    - Allow users to alter what realms they trust and what simple
      registration information gets sent to relying parties by
      default.

5. OpenID Bot (***Hard***)
    - Offers all functionality of the user identity page management.

6. Better designed pages (*Easy*)
    - Use semantic XHTML and CSS to allow for custom styling.
    - Use the Prosody favicon.

Useful Links
============

- [OpenID Specifications](http://openid.net/developers/specs/)
- [OpenID on Wikipedia](http://en.wikipedia.org/wiki/OpenID)